On April 4, 2019 I appeared before the Senate Standing Committee on Banking, Trade and Commerce (BANC) which has been holding hearings on Open Banking, following the launch of a public consultation on Open Banking by the federal government. Open banking is an interesting digital innovation initiative with both potential and risks. I wrote earlier about open banking and some of the privacy issues it raises here. I was invited by the BANC Committee to discuss ‘data ownership’ in relation to open banking. The text of my open remarks to the committee is below. My longer paper on Data Ownership is here.

_______________

Thank you for this invitation and opportunity to meet with you on the very interesting subject of Open Banking, and in particular on data ownership questions in relation to open banking.

I think it is important to think about open banking as the tip of a data iceberg. In other words, if Canada moves forward with open banking, this will become a test case for rendering standardized data portable in the hands of consumers with the goal of providing them with more opportunities and choices while at the same time stimulating innovation.

The question of data ownership is an interesting one, and it is one that has become of growing importance in an economy that is increasingly dependent upon vast quantities of data.However, the legal concept of ‘ownership’ is not a good fit with data. There is no data ownership right per se in Canadian law (or in law elsewhere in comparable jurisdictions, although in the EU the idea has recently been mooted). Instead, we have a patchwork of laws that protect certain interests in data. I will give you a very brief overview before circling back to data portability and open banking.

The law of confidential information exists to protect interests in information/data that is kept confidential. Individuals or corporations are often said to ‘own’ confidential information. But the value of this information lies in its confidentiality, and this is what the law protects. Once confidentiality is lost, so is exclusivity – the information is in the public domain.

The Supreme Court of Canada in 1988 also weighed in on the issue of data ownership – albeit in the criminal law context. They ruled in R. v. Stewart that information could not be stolen for the purposes of the crime of theft, largely because of its intangible nature. Someone could memorize a confidential list of names without removing the list from the possession of its ‘owner’. The owner would be deprived of nothing but the confidentiality of and control over the information.

It is a basic principle of copyright law that facts are in the public domain. There is good reason for this. Facts are seen as the building blocks of expression, and no one should have a monopoly over them. Copyright protects only the original expression of facts. Under copyright law, it is possible to have protection for a compilation of facts – the original expression will lie in the way in which the facts are selected or arranged. It is only that selection or arrangement that is protected – not the underlying facts. This means that those who create compilations of fact may face some uncertainty as to their existence and scope of any copyright. The Federal Court of Appeal, for example, recently ruled that there was no copyright in the Ontario Real Estate Board’s real estate listing data.

Of course, the growing value of data is driving some interesting arguments – and decisions – in copyright law. A recent Canadian case raises the possibility that facts are not the same as data under copyright law. This issue has also arisen in the US. Some data are arguably ‘authored’, in the sense that they would not exist without efforts to create them. Predictive data generated by algorithms are an example, or data that require skill, judgment and interpretation to generate. Not that many years ago, Canada Post advanced the argument that they had copyright in a postal code. In the US, a handful of cases have recognized certain data as being ‘authored’, but even in those cases, copyright protection has been denied on other grounds. According ownership rights over data – and copyright law provides a very extended period of protection – would create significant issues for expression, creation and innovation.

The other context in which the concept of data ownership arises is in relation to personal information. Increasingly we hear broad statements about how individuals ‘own’ their personal information. These are not statements grounded in law. There is no legal basis for individuals to be owners of their personal information. Individuals do have interests in their personal information. These interests are defined and protected by privacy and data protection laws (as well as by other laws relating to confidentiality, fiduciary duties, and so on). The GDPR in Europe was a significant expansion/enhancement of these interests, and reform of PIPEDA in Canada – if it ever happens – could similarly enhance the interests that individuals have in their personal data.

Before I speak more directly of these interests – and in particular of data portability – I want to just mention why it is that it is difficult to conceive of interests in personal data in terms of ownership.

What personal data could you be said to own, and what would it mean? Some personal data is observable in public contexts. Do you own your name and address? Can you prevent someone from observing you at work every day and deciding you are regularly late and have no dress sense? Is that conclusion your personal information or their opinion? Or both? If your parents’ DNA might reveal your own susceptibility to particular diseases, is their DNA your personal information? If an online bookstore profiles you as someone who likes to read Young Adult Literature – particularly vampire themed – is that your personal information or is it the bookstore’s? Or is it both? Data is complex and there may be multiple interests implicated in the creation, retention and use of various types of data – whether it is personal or otherwise. Ownership – a right to exclusive possession – is a poor fit in this context. And the determination of ownership on the basis of the ‘personal’ nature of the data will overlook the fact that there may be multiple interests entangled in any single datum.

What data protection laws do is define the nature and scope of a person’s interest in their personal information in particular contexts. In Canada, we have data protection laws that apply with respect to the public sector, the private sector, and the health sector. In all cases, individuals have an interest in their personal information which is accompanied by a number of rights. One of these is consent – individuals generally have a right to consent to the collection, use or disclosure of their personal information. But consent for collection is not required in the public sector context. And PIPEDA has an ever-growing list of exceptions to the requirements for consent to collection, use or disclosure. This shows how the interest is a qualified one. Fair information principles reflected in our data protection laws place a limit on the retention of personal information – when an organization that has collected personal information that is now no longer required for the purpose for which it is collected, their obligation is to securely dispose of it – not to return it to the individual. The individual has an interest in their personal information, but they do not own it. And, as data protection laws make clear, the organizations that collect, use and disclose personal information also have an interest in it – and they may also assert some form of ownership rights over their stores of personal information.

As I mentioned earlier, the GDPR has raised the bar for data protection world-wide. One of the features of the GDPR is that it greatly enhances the nature and quality of the data subject’s interest in their personal information. The right to erasure, for example, limited though it might be, gives individuals control over personal information that they may have, at one time, shared publicly. The right of data portability – a right that is reflected to some degree in the concept of open banking – is another enhancement of the control exercised by individuals over their personal information.

What portability means in the open banking context is that individuals will have the right to provide access to their personal financial data to a third party of their choice (presumably from an approved list). While technically they can do that now, it is complicated and not without risk. In open banking, the standard data formats will make portability simple, and will enhance the ability to bring the data together for analysis and to provide new tools and services. Although individuals will still not own their data, they will have a further degree of control over it. Thus, open banking will enhance the interest that individuals have in their personal financial information. This is not to say that it is not without risks or challenges.

Digital and data governance is challenging at the best of times. It has been particularly challenging in the context of Sidewalk Labs’ proposed Quayside development for a number of reasons. One of these is (at least from my point of view) an ongoing lack of clarity about who will ‘own’ or have custody or control over all of the data collected in the so-called smart city. The answer to this question is a fundamentally important piece of the data governance puzzle.

The documentation prepared for the December 13, 2018 Digital Strategy Advisory Panel (DSAP) meeting includes a slide that sets out implementation requirements for the Quayside development plan in relation to data and digital governance. A key requirement is: “Compliance with or exceedance of all applicable laws, regulations, policy documents and contractual obligations” (page 95). This is fine in principle, but it is not enough on its own to say that the Quayside project must “comply with all applicable laws”. At some point, it is necessary to identify what those applicable laws are. This has yet to be done. And the answer to the question of which laws apply in the context of privacy, transparency and data governance, depends upon who ultimately is considered to ‘own’ or have ‘custody or control’ of the data.

So – whose data is it? It is troubling that this remains unclear even at this stage in the discussions. The fact that Sidewalk Labs has been asked to propose a data governance scheme suggests that Sidewalk and Waterfront may be operating under the assumption that the data collected in the smart city development will be private sector data. There are indications buried in presentations and documentation that also suggest that Sidewalk Labs considers that it will ‘own’ the data. There is a great deal of talk in meetings and in documents about PIPEDA, which also indicates that there is an assumption between the parties that the data is private sector data. But what is the basis for this assumption? Governments can contract with a private sector company for data collection, data processing or data stewardship – but the private sector company can still be considered to act as an agent of the government, with the data being legally under the custody or control of the government and subject to public sector privacy and freedom of information laws. The presence of a private sector actor does not necessarily make the data private sector data.

If the data is private sector data, then PIPEDA will apply, and there will be no applicable access to information regime. PIPEDA also has different rules regarding consent to collection than are found in MFIPPA. If the data is considered ultimately to be municipal data, then it will be subject to MFIPPA’s rules regarding access and privacy, and it will be governed by the City of Toronto’s information management policies. These are very different regimes, and so the question of which one applies is quite fundamental. It is time for there to be a clear and forthright answer to this question.

Last year I attended a terrific workshop at UBC’s Allard School of Law. The workshop was titled ‘Property in the City’, and panelists presented work on a broad range of issues relating to law in the urban environment. A special issue of the UBC Law Review has just been published featuring some of the output of this workshop. The issue contains my own paper (discussed below and available here) that explores skirmishes over access to and use of Airbnb platform data.

Airbnb is a ‘sharing economy’ platform that facilitates the booking of short-term accommodation. The company is premised on the idea that many urban dwellers have excess space – rooms in homes or apartments – or have space they do not use at certain periods of the year (entire homes or apartments while on vacation, for example) – and that a digital marketplace can maximize efficient use of this space by matching those seeking temporary accommodation with those having excess space. The Airbnb web site claims that it “connects people to unique travel experiences at any price point” and at the same time “is the easiest way for people to monetize their extra space and showcase it to an audience of millions.”

This characterization of Airbnb is open to challenge. Several studies, including ones by the Canadian Centre for Policy Alternatives, the City of Vancouver, and the NY State Attorney General suggest that a significant number of units for rent on Airbnb are offered as part of commercial enterprises. The description also belies Airbnb’s disruptive impact. The re-characterization and commodification of ‘surplus’ private spaces neatly evades the regulatory frameworks designed for the marketing of short-term accommodation and leaves licensed short-term accommodation providers complaining that their highly regulated businesses are being undermined by competition from those not bearing the same regulatory burdens. At the same time, many housing advocates and city officials are concerned about the impact of platforms such as Airbnb on the availability and affordability of long-term housing.

These challenges are made more difficult to address by the fact that the data needed to understand the impact of platform companies, along with data about short-term rentals that would otherwise be captured through regulatory processes, are effectively privatized in the hands of Airbnb. Data deficits of this kind pose a challenge to governments, civil society and researchers..

My paper explores the impact of a company such as Airbnb on cities from the perspective of data. I argue that platform-based, short-term rental activities have a fundamental impact on what data are available to municipal governments who struggle to regulate in the public interest, as well as to civil society groups and researchers that attempt to understand urban housing issues. The impacts of platform companies are therefore not just disruptive of incumbent industries; they disrupt planning and regulatory processes by masking activities and creating data deficits. My paper considers some of the currently available solutions to the data deficits, which range from self-help type recourses such as data scraping to entering into data-sharing agreements with the platform companies. Each of these solutions has its limits and drawbacks. I argue that further action may be required by governments to ensure their data needs are adequately met.

Although this paper focuses on Airbnb, it is worth noting that the data deficits discussed in the paper are merely a part of a larger context in which evolving technologies shift control over some kinds of data from public to private hands. Ensuring the ability of governments and civil society to collect, retain, and share data of a sufficient quality to both enable and to enhance governance, transparency, and accountability should be priorities for municipal governments, and should also be supported by law and policy at provincial and federal levels.

In early July 2017 I attended an excellent workshop hosted by researchers at the Centre for Information Technology, Society and Law at the University of Zurich. The objective of the workshop was to bring a group of academic experts together to discuss data ownership rights.

It is perhaps not surprising that the issue of ownership rights in data is bubbling to the surface as we move further into the evolving big data environment. Data have been described as the new “oil” of the information society. They have a tremendous value and are strongly linked to innovation. One of the ways in which industrialized nations have nurtured innovation has been through the creation of intangible property rights such as intellectual property rights. Data ownership rights flow from that same industrial era mind set. However, it is far from clear that this paradigm is a good fit for data and data-related innovation.

In fact, the way data are made available and the extent to which data are flowing across sectors and organizations, play a fundamental role in sustaining and developing the emergence of a European data-driven economy. In defining and specifying the rights to create, edit, modify, share and restrict access to data, data ownership becomes a pivotal factor affecting a growing number of potential data users and an increasing range of data-related activities.

One might perhaps be forgiven for thinking that there are already data ownership rights; for example, terms of service for websites frequently state that the company behind the website “owns” its data. Canada’s federal government even got its knuckles rapped by the Federal Court of Appeal for making a similar copyright-based claim in one of its data licences (see my post on this decision here). And, while the law of confidential information could be argued to provide a kind of property right in data or information, in reality what is protected by this body of law is the confidentiality of the information. Once confidentiality is lost, it is clear that there is no underlying ‘property’ right in the data.

Policy makers have long been wary of extending IP rights to data – and for some very good reasons. Copyright law, for example, does not protect “facts”, viewing them instead as the building blocks for creativity and expression, and therefore part of the public domain. Of course, copyright law does protect the original selection and arrangement that goes into creating a compilation of facts (i.e. a data set). How extensive this protection ultimately is depends on what a court sees as the taking of a substantial part of that selection or arrangement. It is this protection for compilations of data that no doubt supports those Terms-of-Service claims to ownership of data mentioned above, but the scope and extent of copyright protection in such circumstances is nevertheless limited and uncertain. In the EU, database rights have provided a broader protection for databases, but it still, fundamentally, is not a protection for the data that make up the database.

It is difficult to see where the interest in a data ownership right is coming from. No clear or pressing need to enhance the protection available for data has been identified. Data ownership rights might be more likely to create confusion and uncertainty – and to increase transaction costs and slow innovation – than to improve the current situation. It would be difficult – and hugely problematic – even to begin to try to identify the ‘owners’ of rights in data and to manage the potential competing interests. And while there are undoubtedly issues around the fairness of particular uses of data, or the legitimacy of means used to acquire data, existing laws already offer a range of recourses and remedies that may be applicable in any given case.

The brief summary of our meetings on data ownership is now publicly available, and it addresses these and many other issues relating to data ownership rights. Our conclusions – that there is no evident need for a new data ownership right and that it would be impossibly difficult to define or constrain – offer a caution to those who regard property rights as a panacea in marketplaces of all kinds.